u/Extra-Counter-9689

Vendor questionnaire is asking if we have had a pentest done

I started a company last year in the B2B space and we have gotten a few smaller clients but recently we started talking to our first enterprise customer and got a vendor security questionnaire from them.

Most of it is pretty normal stuff like data handling, access controls, backups, MFA, policies, etc. But one question specifically asks whether we have had a recent third party penetration test/security audit done, and if we can provide some kind of report or summary letter.

We haven’t done one yet. We’re still small, so up until now security has mostly been us following best practices, keeping things locked down, and fixing issues as we find them. We haven’t had an outside firm formally test the app.

Our CTO thinks we should probably get one done now since customers are starting to ask for it. We got a quote from StealthNet AI for around $5k and are talking to a few other firms this week. The price seems okay and the firm looks solid, but I honestly have no idea what’s normal for a small SaaS.

For others when did customers start asking you for pentests?

Did having a pentest report or summary letter actually help with vendor/security reviews?

Also curious what people paid for their first one.

reddit.com
u/Extra-Counter-9689 — 1 day ago
▲ 1 r/nocode

Client wants SOC 2 and a pentest before buying. How common is this?

I’m a non-technical founder and mostly vibecoded my app, so I’m a little lost on this.

We have a potential client going through their vendor/security review and they sent us a security questionnaire. A few of the questions are asking if we have SOC 2, if we do regular penetration testing, and if we can provide a recent pentest report.

We are still pretty early and honestly haven’t done any of this yet. The app is not huge, but it does have user accounts, a dashboard, and some customer data. I always assumed SOC 2 and pentesting were things bigger companies dealt with later, but now it seems like this could block the deal. I don’t think we can pay 40k for SOC 2 at the moment but a buddy of mine said a lot of firms will accept a pentest report if we don’t have our SOC 2.

I started looking around and the pricing is all over the place. One larger firm (Rapid7) quoted us around $17k for the penetration test, which feels insane for where we are. StealthNetAI quoted us around $5.5k for a smaller web app pentest, which seems way more reasonable, but I’m trying to sanity check what other founders have actually paid.

For other nocode / vibe coded SaaS founders:

Did you get SOC 2 or a pentest because a client asked for it?

Is a pentest usually enough for the security questionnaire, or do clients expect full SOC 2 too?

How much did you pay for a basic web app pentest?

Trying to figure out if this is normal and what the easiest path is without overcomplicating it.

u/Extra-Counter-9689 — 3 days ago

How much should a SOC 2 pentest cost for a smaller company?

We are preparing for SOC 2 and I am trying to sanity check the penetration testing piece. Sorry in advance, I’m not very technical.

We are a smaller company, but larger customers are starting to ask for more security documentation. A few security questionnaires have asked whether we perform regular penetration testing, so we are looking into getting one done before it becomes a blocker in a sales process.

The part I am struggling with is pricing and scope. Our environment is fairly small, but the quotes we have received are wildly different. Rapid7 quoted us around $37k, which felt pretty high for where we are as a company. StealthNet AI quoted around $6.5k, which seems much more reasonable, but I am trying to sanity check what other IT teams have actually paid for a SOC 2 related pentest and what was included in that scope.

For companies that have gone through SOC 2 or enterprise security reviews:

Did you get a pentest before the audit or only after customers asked for it?

What was included in scope? Web app, external network, cloud, internal, API, or something else?

What price range did you see for a smaller environment?

Did the auditor or customer care about the brand name of the pentest firm, or mostly the quality of the report, methodology, and remediation evidence?

Trying to avoid both overpaying and under-scoping this.

u/Extra-Counter-9689 — 10 days ago

Is penetration testing needed for PCI?

Our vCISO said we need to start following PCI requirements because we handle credit card data, but I wanted to make sure I understand what is actually required. He said we need quarterly vulnerability scans and a penetration test once a year. I was curious how common this is and whether other companies that process or store cardholder data are doing the same thing.

We are a smaller company, so this is still pretty new to us. Our vCISO said we should start getting our security program in order now, including things like access controls, vulnerability management, secure development practices, evidence collection, quarterly scans, and an annual pentest. He also mentioned that depending on how we handle cardholder data, we may need to complete a PCI SAQ or go through a more formal PCI assessment.

For the pentest, we got quotes from two companies, but I am not sure what the average price should be. Our environment is pretty small, but the quotes were very different. Someone recommended NCC Group, and they gave us a $40k quote, which seems very expensive. We also got a quote from StealthNet AI for $6.5k, which seems more reasonable.

I am curious what other people have paid for penetration testing when preparing for PCI. Are quarterly scans and a yearly pentest standard if you handle credit card data, or does it depend on your exact PCI scope?

u/Extra-Counter-9689 — 14 days ago
▲ 2 r/CMMC

Our vCISO said we need to get a penetration test done as part of preparing for CMMC, but I wanted to make sure. We are trying to sell into companies that work with the DoD, and CMMC keeps coming up during the sales/security review process. I was curious how common this is and whether it is something that will come up a lot if we keep going after defense contractors or companies handling CUI.

Our vCISO said we should start getting our security program in order now, including things like policies, evidence collection, access controls, vulnerability management, and a penetration test. He also mentioned that we may eventually need a formal CMMC assessment depending on what level our customers require.

For the pentest, we got quotes from two companies, but I am not sure what the average price should be. Our environment is pretty small, but the quotes were very different. Someone recommended Rapid7, and they gave us a $40k quote, which seems very expensive. We also got a quote from StealthNet AI for $6.5k, which seems more reasonable.

I am curious what other people have paid for penetration testing when preparing for CMMC. Is this something we should do now, or can we keep pursuing customers and wait until a specific contract requires it?

u/Extra-Counter-9689 — 14 days ago
▲ 5 r/SaaS

I'm a little lost here. I was filling out a vendor questionnaire and it asked if we have ever gotten a pentest, which we haven't. When I gave it back to the client they said that we would need to get that done before they proceed with us. I'm not really that technical so I am not really sure where to start on this. I'm assuming we just need to test our web site or something.

If anyone has gotten a test like this before I would be curious to know who you used, how much it cost, and how long it took. Ideally I would like to find something that is affordable and quick so I can move on.

u/Extra-Counter-9689 — 17 days ago